Abstract

We introduce the use, monitoring, and enforcement of integrity constraints in trust management-style authorization systems. We consider what portions of the policy state must be monitored to detect violations of integrity constraints. Then we address the fact that not all participants in a trust management system can be trusted to assist in such monitoring, and show how many integrity constraints can be monitored in a conservative manner so that trusted participants detect and report if the system enters a policy state from which evolution in unmonitored portions of the policy could lead to a constraint violation.

1 Introduction 

Trust management [4] (TM) is an approach to managing authorization in environments where authority emanates from multiple sources. Authorization policy consists of statements issued by many participants, and resource sharing is facilitated by delegating authority from one principal to another.

A particular authorization is decided by posing a query to the system. An evaluation procedure combines the statements issued by all relevant principals to derive the query's answer. By adding or removing a policy statement, a principal can potentially affect many authorizations of many principals.

One of the difficulties of operating in such a context is that at present no system exists for monitoring unexpected consequences of policy changes made by other principals. Basically, in present TM systems, delegating trust implies losing a great deal of control over the policy involved in the delegation. Let us first see three examples of this.
Firstly, resources may become unavailable unexpectedly. Consider for instance a team leader who needs to be informed if members of his team suffer an interruption in their authorization for mission-critical resources. If the team's mission involves rapid response, the notification of interruption should not depend on team members attempting to access a critical resource and discovering its unavailability only because the attempt fails. What is needed is that the policy change triggers a procedure that pushes the notification to the team leader.

Secondly, properties such as mutual exclusion cannot be guaranteed. While in the above example the exceptional state involved someone losing authorization, having someone unexpectedly gain authorization can be just as important to detect. For instance, it should be possible to trigger an action if a principal becomes authorized for two mutually exclusive purposes. Mutual exclusion is an approach often used, for instance in RBAC systems [18], to enforce separation of duty, a classic device aimed at preventing fraud. By ensuring that no individual is authorized to complete all parts of a sensitive task, the technique ensures that only a colluding group could misuse the capability. Because the participants in a trust management system are autonomous, it is in general not possible to prevent a principal being given two authorizations. However, cooperating principals should be able to prevent another principal from gaining two mutually exclusive authorizations under the control of the cooperating group. What is needed is a way to distribute the mutual exclusivity requirement and monitor policy evolution to ensure that control over the key authorizations is not delegated outside the cooperating group.

Thirdly, quality cannot be monitored. Consider the situation in which the principal A states, for instance, that he considers an expert anyone that B considers an expert (A delegates to B the definition of "expert"). In addition, A expects experts to have a PhD degree. Now, A has no way of checking that all experts added by B actually have doctorates. Of course, A could modify his policy as follows: "A considers an expert anyone holding a PhD that B considers an expert". However, often it would be preferable for A to know whether a non-PhD had been added to the expert list, because it might suggest to A that an exception to A's policy is acceptable, or that some other evolution of A's policy should take place (perhaps it is time to revoke the trust in B's experts). Thus, what A needs is to be able to monitor whether B ever decides that a non-PhD is an expert. Notice that this is what would happen in practice: before delegating to B the definition of expert, A would normally put in place a monitoring activity to guarantee that B's experts fulfil the quality criteria. Unfortunately, present decentralized TM systems do not allow for such monitoring.

Summarizing, there is a need for a mechanism to monitor a TM system and to reveal when an exceptional state has been entered, so that appropriate steps can be taken proactively. Ideally, it would even be possible to enlist the assistance of others in preventing exceptional states from arising. The problem of providing such a monitoring system is aggravated by the fact that changes are made by autonomous principals that may not agree or be trusted to assist in the monitoring.

In this paper we introduce a new trust management construct called a constraint, inspired by integrity constraints in database management systems (see, e.g., [9, 6]), that provides system participants the ability to monitor the evolution of the policy. The author of a constraint receives notification when the constraint is violated. This is achieved by enlisting the assistance of principals to which authority is delegated and triggering constraint checks when those principals make relevant policy changes. The emphasis in this paper is on determining whether a policy change is relevant, or can be ignored.

In addition we also consider the setting in which some principals are not trusted or willing to help monitoring a constraint. As mentioned above, in some environments it is not appropriate to assume that all principals to whom one delegates authority will assist in monitoring one's constraints. By providing a sufficiently expressive constraint language, we show how to limit to an arbitrary, specified set those principals that are trusted to cooperate in monitoring a constraint. This is done by allowing a constraint to express a security analysis problem of the kind formulated by Li et al. [15]. Such a constraint quantifies over policy states that are reachable by policy changes made by untrusted principals, asking whether a given query holds either in all reachable states (universal quantification) or in some reachable state (existential quantification). By checking such a constraint each time the trusted principals make relevant policy changes, and committing their changes only if the constraint is satisfied, the trusted principals can ensure that a state violating the constraint is never entered, no matter what the untrusted principals do. They are able to do this because the untrusted principals are unable to affect the validity of the constraint.

The technical contribution in this paper is a method to identify portions of the policy state that must be monitored in order to detect constraint violations. We do this first under the assumption that all principals in the system can be trusted to assist in monitoring the portion of the policy state under their control. We then relax this assumption by requiring only that a given portion of the policy can be reliably monitored. In this case, monitoring is carried out by using security analysis to assess the possibility of the constraint becoming violated by policy changes that cannot be monitored directly.

Section 2 discusses the TM policy language that we use. Section 3 identifies the portion of the policy state to be monitored for constraint violations, assuming all portions can be monitored. Section 4 shows how to monitor constraints for potential violations when not all parts of the policy state can be monitored directly. Section 5 discusses related work. Section 6 concludes. Some proofs are reported in the appendix.

2 Preliminaries 

Trust management [4, 2, 3, 17, 7, 5, 10, 11, 16, 15, 12, 14, 19] is an approach to access control in decentralized distributed systems with access control decisions based on policy statements issued by multiple principals. In trust management systems, statements that are maintained in a distributed manner are often digitally signed to ensure their authenticity and integrity; such statements are sometimes called credentials or certificates. This section presents the trust management language $RT_0$ [15], which we use in this paper.

The Language $RT_0$

A principal is a uniquely identified individual or process. Principals are denoted by names starting with an uppercase letter, typically A, B, D.

A principal can define a role, which is indicated by the principal's name followed by the role name, separated by a dot. For instance A.r and GMU.students are roles. For the sake of simplicity we assume that A is the owner (or the administrator) of A.r, though the results of this paper apply also in the case where A.r is owned by some other principal. We use names starting with a lowercase letter (sometimes with subscripts) to indicate role names.

A role denotes a set of principals (the principals that populate it, i.e., the members of the role). To indicate which principals populate a role, $RT_0$ allows the owning principal to issue four kinds of policy statements:

• Simple Member: $A.r \leftarrow D$

With this statement A asserts that D is a member of A.r.

• Simple Inclusion: $A.r \leftarrow B.r_1$

With this statement A asserts that A.r includes (all members of) $B.r_1$. This represents a delegation from A to B, as B may add principals to become members of the role A.r by issuing statements defining (and extending) $B.r_1$.

• Linking Inclusion: $A.r \leftarrow A.r_1.r_2$

We call $A.r_1.r_2$ a linked role. With this statement A asserts that A.r includes $B.r_2$ for every B that is a member of $A.r_1$. This represents a delegation from A to all the members of the role $A.r_1$.

• Intersection Inclusion: $A.r \leftarrow B_1.r_1 \cap B_2.r_2$

We call $B_1.r_1 \cap B_2.r_2$ an intersection. With this statement A asserts that A.r includes every principal who is a member of both $B_1.r_1$ and $B_2.r_2$. This represents partial delegations from A to $B_1$ and to $B_2$.

For any statement $A.r \leftarrow e$, A.r is called the head and e is called the body of the statement. We write $\mathit{head}(A.r \leftarrow e) = A.r$. The set of statements having head A.r is called the definition of A.r.

The definition of $RT_0$ given here is a slightly simplified (yet expressively equivalent) version of the one given in [15]. A policy state (state for short, indicated by $\mathcal{P}$) is a set of policy statements. Given a state $\mathcal{P}$, we define the following: $\mathit{Principals}(\mathcal{P})$ is the set of principals in $\mathcal{P}$, $\mathit{Names}(\mathcal{P})$ is the set of role names in $\mathcal{P}$, and $\mathit{Roles}(\mathcal{P}) = \{A.r \mid A \in \mathit{Principals}(\mathcal{P}),\ r \in \mathit{Names}(\mathcal{P})\}$.

To express constraints, we need one last definition:

Definition 2.1 Positive role expressions are defined by the following grammar:

• sets of principals are positive role expressions,

• roles are positive role expressions,

• unions and intersections of positive role expressions are positive role expressions. □

E.g., A.r, $A.r \cup \{A, B\}$ and $A.r \cap B.r_1.r_2$. Positive role expressions are denoted by the Greek letters $\phi$, $\lambda$, and $\rho$. A positive role expression containing no roles (but only sets of principals) is called static.

Semantics

The semantics of a policy state is defined by translating it into a logic program. The semantic program $SP(\mathcal{P})$ of a state $\mathcal{P}$ is a logic program with one ternary predicate m. Intuitively, $m(A, r, D)$ means that D is a member of the role A.r.

Definition 2.2 (Semantic Program) Given a state $\mathcal{P}$, the semantic program $SP(\mathcal{P})$ for it is the logic program defined as follows (here symbols that start with "?" represent logical variables):

• For each $A.r \leftarrow D \in \mathcal{P}$, add to $SP(\mathcal{P})$ the clause
$m(A, r, D)$.

• For each $A.r \leftarrow B.r_1 \in \mathcal{P}$, add to $SP(\mathcal{P})$ the clause
$m(A, r, ?Z) \mathrel{:-} m(B, r_1, ?Z)$.

• For each $A.r \leftarrow A.r_1.r_2 \in \mathcal{P}$, add to $SP(\mathcal{P})$ the clause
$m(A, r, ?Z) \mathrel{:-} m(A, r_1, ?Y),\ m(?Y, r_2, ?Z)$.

• For each $A.r \leftarrow B_1.r_1 \cap B_2.r_2 \in \mathcal{P}$, add to $SP(\mathcal{P})$ the clause
$m(A, r, ?Z) \mathrel{:-} m(B_1, r_1, ?Z),\ m(B_2, r_2, ?Z)$. □

We can now define the semantics of a role in a state.

Definition 2.3 (Semantics) Given a state $\mathcal{P}$, the semantics of a role A.r is defined in terms of the atoms entailed by the semantic program:

• $[\![A.r]\!]_{SP(\mathcal{P})} = \{Z \mid SP(\mathcal{P}) \models m(A, r, Z)\}$ □

We extend this semantics to positive role expressions in the natural way as follows:

$[\![\{D_1, \ldots, D_n\}]\!]_{SP(\mathcal{P})} = \{D_1, \ldots, D_n\}$

$[\![\phi_1 \cup \phi_2]\!]_{SP(\mathcal{P})} = [\![\phi_1]\!]_{SP(\mathcal{P})} \cup [\![\phi_2]\!]_{SP(\mathcal{P})}$

$[\![\phi_1 \cap \phi_2]\!]_{SP(\mathcal{P})} = [\![\phi_1]\!]_{SP(\mathcal{P})} \cap [\![\phi_2]\!]_{SP(\mathcal{P})}$

3 Constraints 

Consider a state $\mathcal{P}$, which might change in time. We are interested in defining a constraint, which intuitively is a query that is intended to hold throughout the state changes. To this end, we focus on the class of constraints already considered for the purposes of security analysis in [13]. These constraints express set containment.

Definition 3.1 A constraint is an expression of the form $(O, \lambda \subseteq \rho)$, in which O is a principal called the owner of the constraint, and $\lambda$ and $\rho$ are positive role expressions. □

The following definition clarifies that $\subseteq$ represents set containment.

Definition 3.2 Let $\mathcal{P}$ be a state and Q be the constraint $(O, \lambda \subseteq \rho)$; we say that

• $\mathcal{P}$ satisfies Q ($\mathcal{P} \vdash Q$) iff $[\![\lambda]\!]_{SP(\mathcal{P})} \subseteq [\![\rho]\!]_{SP(\mathcal{P})}$ ($\mathcal{P}$ violates Q otherwise). □

Constraints of this form can capture many important and intuitive requirements.

• Consider $(O, \{Bob\} \cap A.r \subseteq \emptyset)$. This constraint captures a safety requirement that Bob must not become a member of A.r.

• The constraint $(O, \{Alice\} \subseteq A.r)$ captures the availability requirement that Alice must be authorized for A.r.

• The constraint $(O, A.manager \cap B.controller \subseteq \emptyset)$ captures the mutual exclusivity requirement that no one must be authorized for both A.manager and B.controller.

Example 3.3 Suppose the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) operates a database containing information about hazardous materials (HAZMAT) for use by emergency response personnel. The ATF individually authorizes users so as to retain tight control over the sensitive information contained in the database. It does this by issuing statements such as:

$ATF.hazmatDB \leftarrow Rollins$ (1)

The Emergency Response Center (Emergency) wants to ensure that all its hazmat emergency response personnel have access to the database at all times. This is expressed by the constraint

$(Emergency,\ Emergency.hazmatPersonnel \subseteq ATF.hazmatDB)$

We assume that Emergency.hazmatPersonnel is defined by the collection of statements (2) … (8) in Table 1. Suppose the following two statements are added:

$Police.responsePersonnel \leftarrow Rollins$ (9)

$Police.responsePersonnel \leftarrow Burke$ (10)

When these statements are added, it must be checked whether they cause violations of the constraint. Credential (9) does not cause a violation, but (10) does, and the Emergency Response Center must be notified accordingly. □

3.1 Monitoring Constraints

We now see how we can put in place a system for monitoring constraint violations. Let $\mathcal{P}$ be a state, and consider the constraint $Q = (O, \lambda \subseteq \rho)$. Assuming that $\mathcal{P}$ changes in time, we are interested in monitoring when Q is violated.

Definition 3.4 Let $\mathcal{P} \mapsto \mathcal{P}'$ be a state change from $\mathcal{P}$ to $\mathcal{P}'$. We say that

• the change violates Q if $\mathcal{P} \vdash Q$ and $\mathcal{P}' \nvdash Q$.

Notice that if a change violates the constraint, then there exists D such that $D \notin [\![\lambda]\!]_{SP(\mathcal{P})} \setminus [\![\rho]\!]_{SP(\mathcal{P})}$, while $D \in [\![\lambda]\!]_{SP(\mathcal{P}')} \setminus [\![\rho]\!]_{SP(\mathcal{P}')}$. This remark points out an important feature of containment constraints: if they are violated then there exists a specific set of principals violating them.

To monitor the system, a feature of RT we are going to exploit is its monotonicity: adding a statement to $\mathcal{P}$ cannot cause the set semantics of a role to shrink. Similarly, removing a statement cannot cause the set semantics to grow. Formally, for each role A.r and each statement stmt:

$[\![A.r]\!]_{SP(\mathcal{P})} \subseteq [\![A.r]\!]_{SP(\mathcal{P} \cup \{stmt\})}$

$[\![A.r]\!]_{SP(\mathcal{P})} \supseteq [\![A.r]\!]_{SP(\mathcal{P} \setminus \{stmt\})}$

Therefore, adding a statement to $\mathcal{P}$ can only augment the sets $[\![\lambda]\!]_{SP(\mathcal{P})}$ and $[\![\rho]\!]_{SP(\mathcal{P})}$. Consequently, if we assume that $\mathcal{P}$ initially satisfies $\lambda \subseteq \rho$, we see the following:

• Adding a statement to $\mathcal{P}$ can lead to a violation of $\lambda \subseteq \rho$ only if the addition affects $[\![\lambda]\!]_{SP(\mathcal{P})}$.

• Removing a statement from $\mathcal{P}$ can lead to a violation of $\lambda \subseteq \rho$ only if the removal affects $[\![\rho]\!]_{SP(\mathcal{P})}$.

We now want to further isolate the roles that might influence the satisfaction of a constraint.

Example 3.5 Consider the following set of statements.


$A.r \leftarrow A.r.r$ (2)

$A.r \leftarrow B$ (3)

$B.r \leftarrow C$ (4)

$C.r \leftarrow D.r$ (5)

$E.r \leftarrow F$ (6)

It is easy to see that $[\![A.r]\!]_{SP(\mathcal{P})}$ is $\{B, C\}$. Notice now that if we add a statement $D.r \leftarrow E$, then $[\![A.r]\!]_{SP(\mathcal{P})}$ grows to $\{B, C, E, F\}$. Therefore we can say that D.r may positively affect A.r. We see that $\{A.r, B.r, C.r, D.r\}$ is the set of roles that can positively affect A.r. Dually, we can define the set of roles that may affect the shrinking of $[\![A.r]\!]_{SP(\mathcal{P})}$. Here, it is easy to see that the only way of "reducing" the semantics $[\![A.r]\!]_{SP(\mathcal{P})}$ of A.r is by removing one of the statements (2), (3) or (4). Since these statements define the roles A.r and B.r, we can say that $\{A.r, B.r\}$ is the set of roles that can negatively affect A.r. □

Table 1: Policy State of Example 3.3

$ATF.hazmatDB \leftarrow Rollins$ (1)

$Emergency.hazmatPersonnel \leftarrow Emergency.responsePersonnel \cap ATF.hazmatTraining$ (2)

$Emergency.responsePersonnel \leftarrow Emergency.dept.responsePersonnel$ (3)

$Emergency.dept \leftarrow Fire$ (4)

$Emergency.dept \leftarrow Police$ (5)

$ATF.hazmatTraining \leftarrow Rollins$ (6)

$ATF.hazmatTraining \leftarrow Burke$ (7)

$ATF.hazmatTraining \leftarrow O'Connel$ (8)

Additional Statements

$Police.responsePersonnel \leftarrow Rollins$ (9)

$Police.responsePersonnel \leftarrow Burke$ (10)

The semantics of $\mathcal{P} = \{(1), \ldots, (8)\}$ is

$[\![ATF.hazmatDB]\!]_{SP(\mathcal{P})} = \{Rollins\}$

$[\![ATF.hazmatTraining]\!]_{SP(\mathcal{P})} = \{Rollins, Burke, O'Connel\}$

$[\![Emergency.hazmatPersonnel]\!]_{SP(\mathcal{P})} = \emptyset$

$[\![Emergency.responsePersonnel]\!]_{SP(\mathcal{P})} = \emptyset$

$[\![Emergency.dept]\!]_{SP(\mathcal{P})} = \{Fire, Police\}$

The semantics of $\mathcal{P}' = \mathcal{P} \cup \{(9), (10)\}$ is

$[\![ATF.hazmatDB]\!]_{SP(\mathcal{P}')} = \{Rollins\}$

$[\![ATF.hazmatTraining]\!]_{SP(\mathcal{P}')} = \{Rollins, Burke, O'Connel\}$

$[\![Emergency.hazmatPersonnel]\!]_{SP(\mathcal{P}')} = \{Rollins, Burke\}$

$[\![Emergency.responsePersonnel]\!]_{SP(\mathcal{P}')} = \{Rollins, Burke\}$

$[\![Emergency.dept]\!]_{SP(\mathcal{P}')} = \{Fire, Police\}$

$[\![Police.responsePersonnel]\!]_{SP(\mathcal{P}')} = \{Rollins, Burke\}$

This section constructs two sets of roles whose definitions determine the membership of a given role X.u in state $\mathcal{P}$. If the membership of X.u were to grow, some role in one of these sets would have to have a new statement in its definition, and if the membership of X.u were to shrink, some role in the other set would have to have a statement in its definition revoked.

Positive Dependencies

Given a state $\mathcal{P}$ and a role A.r we want to isolate a set $\Gamma_{\mathcal{P}}(A.r)$ of roles we have to monitor, as they might affect the growth of $[\![A.r]\!]_{SP(\mathcal{P})}$.

Definition 3.6 Let A.r be a role and $\mathcal{P}$ be a state; $\Gamma_{\mathcal{P}}(A.r)$ is the least set of roles containing A.r and satisfying the following:

• If $B.r_0 \in \Gamma_{\mathcal{P}}(A.r)$ and $B.r_0 \leftarrow B_1.r_1 \in \mathcal{P}$, then $B_1.r_1 \in \Gamma_{\mathcal{P}}(A.r)$.

• If $B.r_0 \in \Gamma_{\mathcal{P}}(A.r)$ and $B.r_0 \leftarrow B.r_1.r_2 \in \mathcal{P}$, then $B.r_1 \in \Gamma_{\mathcal{P}}(A.r)$ and $X.r_2 \in \Gamma_{\mathcal{P}}(A.r)$ for all $X \in [\![B.r_1]\!]_{SP(\mathcal{P})}$.

• If $B.r_0 \in \Gamma_{\mathcal{P}}(A.r)$ and $B.r_0 \leftarrow B_1.r_1 \cap \ldots \cap B_n.r_n \in \mathcal{P}$, then for each $i \in [1, n]$, $B_i.r_i \in \Gamma_{\mathcal{P}}(A.r)$. □

The main properties of $\Gamma_{\mathcal{P}}(\cdot)$ we will make use of are summarized in the following lemma, which is proved in the appendix.

Lemma 3.7 Let $\mathcal{P}' = \mathcal{P} \cup \{stmt\}$, where $\mathit{head}(stmt) \notin \Gamma_{\mathcal{P}}(A.r)$. Then

(a) $[\![A.r]\!]_{SP(\mathcal{P})} = [\![A.r]\!]_{SP(\mathcal{P}')}$, and

(b) $\Gamma_{\mathcal{P}}(A.r) = \Gamma_{\mathcal{P}'}(A.r)$.

Moreover, if $\mathcal{P}'$ is obtained from $\mathcal{P}$ by (a) adding zero or more statements whose head is not in $\Gamma_{\mathcal{P}}(A.r)$, and (b) removing zero or more statements, then

(c) $[\![A.r]\!]_{SP(\mathcal{P})} \supseteq [\![A.r]\!]_{SP(\mathcal{P}')}$, and

(d) $\Gamma_{\mathcal{P}}(A.r) \supseteq \Gamma_{\mathcal{P}'}(A.r)$. □

Example 3.8

• Returning to Example 3.3, the left-hand side of the constraint $Emergency.hazmatPersonnel \subseteq ATF.hazmatDB$ is Emergency.hazmatPersonnel. So

$\Gamma_{\mathcal{P}}(Emergency.hazmatPersonnel) = \{Emergency.hazmatPersonnel,\ Emergency.responsePersonnel,\ ATF.hazmatTraining,\ Emergency.dept,\ Fire.responsePersonnel,\ Police.responsePersonnel\}$

is the set of roles for which addition of new statements must be monitored.

• Consider the policy state in Example 3.5. Then $\Gamma_{\mathcal{P}}(A.r) = \{A.r, B.r, C.r, D.r\}$.

• Suppose $\mathcal{P}$ contains only the statement $A.r_0 \leftarrow A.r_1.r_2$. Then $\Gamma_{\mathcal{P}}(A.r_0) = \{A.r_0, A.r_1\}$, and $[\![A.r_0]\!]_{SP(\mathcal{P})} = \emptyset$. Now, if we add a new statement $A.r_1 \leftarrow B$ to $\mathcal{P}$ (obtaining $\mathcal{P}'$) then $[\![A.r_0]\!]_{SP(\mathcal{P}')}$ is still the empty set, while $\Gamma_{\mathcal{P}'}(A.r_0)$ is now $\{A.r_0, A.r_1, B.r_2\}$. □

For efficiency reasons, we would like $\Gamma_{\mathcal{P}}(A.r)$ to be as small as possible, while maintaining the properties stated in Lemma 3.7. There are two reasons why $\Gamma_{\mathcal{P}}(A.r)$ is non-minimal. The first reason is that an intersection inclusion can act as a filter. For instance, if $A.r \leftarrow B_1.r_1 \cap B_2.r_2 \in \mathcal{P}$ and $[\![B_1.r_1]\!]_{SP(\mathcal{P})} = \emptyset$, there is no point in adding $B_2.r_2$ to $\Gamma_{\mathcal{P}}(A.r)$, as any change to $B_2.r_2$ will not affect the membership of A.r. The second reason concerns linked roles: if $A.r \leftarrow A.r_1.r_2 \in \mathcal{P}$ and there exists no role $B.r_2$ with a member $D \in [\![B.r_2]\!]_{SP(\mathcal{P})}$ that is not already a member of A.r, then we could avoid adding $A.r_1$ to $\Gamma_{\mathcal{P}}(A.r)$, as any addition to $A.r_1$ would not affect the membership of A.r. However, refining the definition of $\Gamma_{\mathcal{P}}(A.r)$ to take these factors into consideration would make it more complex than seems practical.

Negative Dependencies

Now we need to isolate the dual of $\Gamma_{\mathcal{P}}(A.r)$, i.e., a set of roles that might cause $[\![A.r]\!]_{SP(\mathcal{P})}$ to shrink. To this end, we say that $\Sigma$ is a $\mathcal{P}$-support of D for A.r if the roles in $\Sigma$ carry enough information to demonstrate that $D \in [\![A.r]\!]_{SP(\mathcal{P})}$. We denote by $\mathcal{P}|_\Sigma$ the restriction of $\mathcal{P}$ to the roles in $\Sigma$: $\mathcal{P}|_\Sigma = \{stmt \in \mathcal{P} \mid \mathit{head}(stmt) \in \Sigma\}$.

Definition 3.9 Let A.r be a role, D be a principal, $\mathcal{P}$ be a set of statements and $\Sigma$ be a set of roles.

• We say that $\Sigma$ is a $\mathcal{P}$-support of D for A.r if $D \in [\![A.r]\!]_{SP(\mathcal{P}|_\Sigma)}$.

• For $L \subseteq \mathit{Principals}(\mathcal{P})$, we say that $\Sigma$ is a $\mathcal{P}$-support of L for A.r if $D \in [\![A.r]\!]_{SP(\mathcal{P}|_\Sigma)}$ for every $D \in L$.

• We say that $\Sigma$ is a $\mathcal{P}$-support for A.r if and only if it is a $\mathcal{P}$-support of every $D \in [\![A.r]\!]_{SP(\mathcal{P})}$. □

Example 3.10

(i) Consider again the policy state in Example 3.5. Any set containing $\{A.r, B.r\}$ as a subset is a support for A.r.

(ii) In case of redundancies, a minimal support might not be unique. Consider

$A.r \leftarrow B.r$

$A.r \leftarrow C.r$

$B.r \leftarrow F$

$C.r \leftarrow F$

Here, both $\{A.r, B.r\}$ and $\{A.r, C.r\}$ are supports for A.r. □

We can now state the counterpart of Lemma 3.7.

Lemma 3.11 Let A.r be a role, D be a principal, $\mathcal{P}$ be a state and $\Sigma$ be a $\mathcal{P}$-support of D for A.r. Then

1. $D \in [\![A.r]\!]_{SP(\mathcal{P})}$.

Moreover, if $\mathcal{P}'$ is obtained from $\mathcal{P}$ by (a) removing zero or more statements whose head is not in $\Sigma$, and (b) adding zero or more statements, then

2. $\Sigma$ is a $\mathcal{P}'$-support of D for A.r, and therefore

3. $D \in [\![A.r]\!]_{SP(\mathcal{P}')}$.

Proof. Point 1 follows immediately from the fact that, by monotonicity, $[\![A.r]\!]_{SP(\mathcal{P})} \supseteq [\![A.r]\!]_{SP(\mathcal{P}|_\Sigma)}$. For points 2 and 3, by the construction of $\mathcal{P}'$ we have that $\mathcal{P}|_\Sigma \subseteq \mathcal{P}'$, so the results follow from the definition of support and the fact that the semantics is monotonic. □

To build a $\mathcal{P}$-support of D for A.r one basically has to collect all the roles used to prove that $D \in [\![A.r]\!]_{SP(\mathcal{P})}$. In the appendix we give an algorithm to compute a minimal $\mathcal{P}$-support while evaluating role membership.

Putting Things Together

We can now prove the result we were aiming at. Suppose we need to deploy the integrity constraint $Q = \lambda \subseteq \rho$ on $\mathcal{P}$. The first step we need to take is to check whether $\mathcal{P}$ satisfies Q. This can be done as follows:

1. First, $[\![\lambda]\!]_{SP(\mathcal{P})}$ is computed.

2. Then, for each $D \in [\![\lambda]\!]_{SP(\mathcal{P})}$, we check that $D \in [\![\rho]\!]_{SP(\mathcal{P})}$.

In step 2, while checking that $D \in [\![\rho]\!]_{SP(\mathcal{P})}$, it is usually possible to build for free a $\mathcal{P}$-support of D in $\rho$. Once we have checked that $\mathcal{P}$ satisfies Q, we want to make sure that changes to $\mathcal{P}$ do not cause a violation of Q. For this we have the following.

Theorem 3.12 (Main) Assume that $\mathcal{P}$ satisfies the constraint $(O, \lambda \subseteq \rho)$. Let $\Sigma$ be a $\mathcal{P}$-support of $[\![\lambda]\!]_{SP(\mathcal{P})}$ for $\rho$, and let $\mathcal{P} \mapsto \mathcal{P}'$ be a (possibly multistep) change from $\mathcal{P}$ to $\mathcal{P}'$. If

(i) $\forall\, stmt \in \mathcal{P}' \setminus \mathcal{P}$, $\mathit{head}(stmt) \notin \Gamma_{\mathcal{P}}(\lambda)$, and

(ii) $\forall\, stmt \in \mathcal{P} \setminus \mathcal{P}'$, $\mathit{head}(stmt) \notin \Sigma$,

then $\mathcal{P}'$ satisfies the constraint $(O, \lambda \subseteq \rho)$ as well.

Proof. Take any $D \in [\![\lambda]\!]_{SP(\mathcal{P}')}$. By Lemma 3.7, $D \in [\![\lambda]\!]_{SP(\mathcal{P})}$. Since by assumption $\mathcal{P} \vdash \lambda \subseteq \rho$, $D \in [\![\rho]\!]_{SP(\mathcal{P})}$. By Lemma 3.11, $D \in [\![\rho]\!]_{SP(\mathcal{P}')}$. Hence the thesis. □


Theorem 3.12 also shows that, as long as the changes to $\mathcal{P}$ satisfy (i) and (ii), we do not have to recompute the set $\Gamma_{\mathcal{P}}(\lambda)$ or the support $\Sigma$. Technically, this is due to the fact that changes satisfying (i) and (ii) do not affect $\Sigma$ (by Lemma 3.11, $\Sigma$ is still a support of $\rho$), and can only reduce the set $\Gamma_{\mathcal{P}}(\lambda)$ (by Lemma 3.7). When statements defining roles in $\Gamma_{\mathcal{P}}(\lambda)$ are issued, (i) is violated, and when statements defining roles in $\Sigma$ are revoked, (ii) is violated. At these times, the constraint must be checked and the sets $\Gamma_{\mathcal{P}}(\lambda)$ and $\Sigma$ must be recomputed.

The theorem indicates how a system for monitoring constraints should be deployed: the first step (mentioned above) is to check that $\mathcal{P}$ satisfies $\lambda \subseteq \rho$. While doing this, we can build an appropriate $\Sigma$. Secondly, we have to build $\Gamma_{\mathcal{P}}(\lambda)$. Thirdly, we need to put in place monitoring of the roles in $\Sigma$ and in $\Gamma_{\mathcal{P}}(\lambda)$ such that each time a statement defining a role in $\Gamma_{\mathcal{P}}(\lambda)$ (resp. $\Sigma$) is added to (resp. deleted from) $\mathcal{P}$, the constraint owner is warned. When the constraint owner receives a warning he has to (a) check whether the constraint still holds, and (b) recompute $\Gamma_{\mathcal{P}}(\lambda)$ and $\Sigma$.
Example 3.13

• Returning to Example 3.3, to monitor $(Emergency,\ Emergency.hazmatPersonnel \subseteq ATF.hazmatDB)$, we must monitor revocation of definitions of roles in some $\mathcal{P}$-support of each member of $[\![Emergency.hazmatPersonnel]\!]_{SP(\mathcal{P})}$ for ATF.hazmatDB. In this example, $\Sigma = \{ATF.hazmatDB\}$ is a $\mathcal{P}$-support of each such member for ATF.hazmatDB. We must also monitor additions to $\Gamma_{\mathcal{P}}(Emergency.hazmatPersonnel)$, as discussed in Example 3.8. If new statements are added defining other roles, no action has to be taken. Similarly, if statement (10), $Police.responsePersonnel \leftarrow Burke$, were removed, no action would be necessary because Police.responsePersonnel is not in $\Sigma$.

• Consider now Example 3.10 (ii), together with the query $\{F\} \subseteq A.r$. To apply Theorem 3.12, we have to choose one support of F for A.r (the two candidate supports are $\{A.r, B.r\}$ and $\{A.r, C.r\}$) and monitor the roles in it. Suppose we choose $\Sigma = \{A.r, B.r\}$. Suppose we now remove the statement $B.r \leftarrow F$. This does not lead to a violation of the constraint, but we do have to recompute $\Sigma$, which now becomes $\{A.r, C.r\}$.

• Finally, it is also instructive to see that a change in $\Gamma_{\mathcal{P}}(\lambda)$ might require recomputing $\Sigma$, even if it does not entail a violation of the constraint. Let $\mathcal{P}$ be the following set of statements:

$A.r \leftarrow E$

$B.r \leftarrow C.r$

$B.r \leftarrow D.r$

$C.r \leftarrow E$

$D.r \leftarrow F$

together with the constraint $A.r \subseteq B.r$. This constraint is satisfied, and to monitor its evolution we have to monitor the roles in $\Gamma_{\mathcal{P}}(A.r) = \{A.r\}$ and $\Sigma = \{B.r, C.r\}$. Now if we add the statement $A.r \leftarrow F$ then the constraint owner is warned that a change in $\Gamma_{\mathcal{P}}(\lambda)$ has occurred. The constraint owner can check that the constraint is still satisfied in $\mathcal{P}' = \mathcal{P} \cup \{A.r \leftarrow F\}$; however $\Sigma$ has to be recomputed to take into account that it should be a $\mathcal{P}'$-support of F too. The new $\Sigma$ is $\{B.r, C.r, D.r\}$. □

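The following program is an added example and is not code from the paper or from any RT implementation. It implements, in one place, the semantic program of Definitions 2.2 and 2.3 as a naive fixpoint over the four statement kinds, the containment check of Definition 3.2, the positive-dependency set $\Gamma_{\mathcal{P}}(\lambda)$ of Definition 3.6, a $\mathcal{P}$-support $\Sigma$ in the sense of Definition 3.9 (obtained by recording, for each derived membership, the roles used in the first derivation found; this is a simple stand-in for the appendix algorithm, which is not reproduced on this page), and the trigger condition of Theorem 3.12. The tagged-tuple encodings of statements and role expressions are assumptions of this example; the sample policy is constructed from Table 1 (Example 3.3) and replays the additions (9) and (10) discussed in Examples 3.3 and 3.13.

```python
# Added example, not the paper's code.  The tuple encodings below are assumptions of this example:
#   ("member", (A, r), D)   ("include", (A, r), (B, r1))   ("linked", (A, r), (A, r1, r2))
#   ("intersect", (A, r), [(B1, r1), (B2, r2)])   for A.r <- B1.r1 ∩ B2.r2
#   ("set", {..}) | ("role", (A, r)) | ("union", e, e) | ("inter", e, e)   positive role expressions
from collections import defaultdict

def semantics(policy):
    """Least model of SP(P) (Definition 2.2) as role -> members.  `proof` keeps, for each
    derived membership, the roles whose statements proved it (needed for Definition 3.9)."""
    members, proof, changed = defaultdict(set), {}, True
    while changed:                                   # naive fixpoint iteration
        changed = False
        for kind, head, body in policy:
            if kind == "member":
                new = {body: frozenset([head])}
            elif kind == "include":
                new = {d: proof[(body, d)] | {head} for d in set(members[body])}
            elif kind == "linked":                   # every x in A.r1 contributes x.r2
                a, r1, r2 = body
                new = {d: proof[((a, r1), x)] | proof[((x, r2), d)] | {head}
                       for x in set(members[(a, r1)]) for d in set(members[(x, r2)])}
            else:                                    # intersect: member of every body role
                new = {d: frozenset([head]).union(*(proof[(b, d)] for b in body))
                       for d in set.intersection(*(set(members[b]) for b in body))}
            for d, used in new.items():
                if d not in members[head]:           # first derivation found is recorded
                    members[head].add(d); proof[(head, d)] = used; changed = True
    return members, proof

def evaluate(expr, members):
    """[[expr]]_{SP(P)} for a positive role expression (Definitions 2.1 and 2.3)."""
    if expr[0] in ("set", "role"):
        return set(expr[1]) if expr[0] == "set" else set(members[expr[1]])
    l, r = evaluate(expr[1], members), evaluate(expr[2], members)
    return l | r if expr[0] == "union" else l & r

def satisfies(policy, lam, rho):
    """P |- (O, lambda ⊆ rho) (Definition 3.2)."""
    members, _ = semantics(policy)
    return evaluate(lam, members) <= evaluate(rho, members)

def roles_in(expr):
    if expr[0] == "set":
        return set()
    return {expr[1]} if expr[0] == "role" else roles_in(expr[1]) | roles_in(expr[2])

def gamma(policy, lam):
    """Gamma_P(lambda), Definition 3.6 over every role in lambda: watch these for additions."""
    members, _ = semantics(policy)
    result = roles_in(lam); todo = list(result)
    while todo:
        role = todo.pop()
        for kind, head, body in policy:
            if head != role or kind == "member":
                continue
            if kind == "include":
                more = {body}
            elif kind == "linked":
                a, r1, r2 = body
                more = {(a, r1)} | {(x, r2) for x in members[(a, r1)]}
            else:
                more = set(body)
            for b in more - result:
                result.add(b); todo.append(b)
    return result

def support(policy, lam, rho):
    """A P-support Sigma of [[lambda]] for rho (Definition 3.9); assumes P satisfies lambda ⊆ rho."""
    members, proof = semantics(policy)
    def proving(expr, d):
        if expr[0] == "set":
            return frozenset()
        if expr[0] == "role":
            return proof[(expr[1], d)]
        if expr[0] == "inter":
            return proving(expr[1], d) | proving(expr[2], d)
        return proving(expr[1] if d in evaluate(expr[1], members) else expr[2], d)
    return frozenset().union(*(proving(rho, d) for d in evaluate(lam, members)))

def needs_recheck(old, new, gam, sigma):
    """Theorem 3.12: only an addition with head in Gamma or a removal with head in Sigma matters."""
    return (any(s[1] in gam for s in new if s not in old)
            or any(s[1] in sigma for s in old if s not in new))

# Constructed from Table 1 (Example 3.3): statements (1)..(8); (9) and (10) are the additions.
P = [("member", ("ATF", "hazmatDB"), "Rollins"),
     ("intersect", ("Emergency", "hazmatPersonnel"),
      [("Emergency", "responsePersonnel"), ("ATF", "hazmatTraining")]),
     ("linked", ("Emergency", "responsePersonnel"), ("Emergency", "dept", "responsePersonnel")),
     ("member", ("Emergency", "dept"), "Fire"), ("member", ("Emergency", "dept"), "Police"),
     ("member", ("ATF", "hazmatTraining"), "Rollins"), ("member", ("ATF", "hazmatTraining"), "Burke"),
     ("member", ("ATF", "hazmatTraining"), "O'Connel")]
S9 = ("member", ("Police", "responsePersonnel"), "Rollins")
S10 = ("member", ("Police", "responsePersonnel"), "Burke")
LAM, RHO = ("role", ("Emergency", "hazmatPersonnel")), ("role", ("ATF", "hazmatDB"))

def run_example():
    """Deploy (Emergency, lambda ⊆ rho) on P, then replay the additions (9) and (10)."""
    gam, sigma = gamma(P, LAM), support(P, LAM, RHO)
    p9, p10 = P + [S9], P + [S9, S10]
    return {"gamma": gam, "initial": satisfies(P, LAM, RHO),
            "recheck_9": needs_recheck(P, p9, gam, sigma), "after_9": satisfies(p9, LAM, RHO),
            "sigma_9": support(p9, LAM, RHO), "after_10": satisfies(p10, LAM, RHO)}
```

`run_example()` returns the deployment trace: the constraint holds on (1)–(8) and `gamma` is the six-role set of Example 3.8; statement (9) has head Police.responsePersonnel, which lies in that set, so `needs_recheck` fires, the recheck still passes, and the recomputed support is $\{ATF.hazmatDB\}$ as in Example 3.13; statement (10) then makes Burke a member of Emergency.hazmatPersonnel without being in ATF.hazmatDB, so `after_10` is False. An addition whose head is outside $\Gamma$, or a revocation whose head is outside $\Sigma$, makes `needs_recheck` return False and can be ignored, which is exactly the saving Theorem 3.12 promises.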

3.2 Alternative Support Definition

We have defined the $\mathcal{P}$-support $\Sigma$ to be a set of roles. Alternatively, we could have defined $\Sigma$ to be a set of credentials.

Definition 3.14 (Alternative definition of support) Let A.r be a role, D be a principal, $\mathcal{P}$ be a set of statements and $\Sigma \subseteq \mathcal{P}$ be a set of credentials.

• We say that $\Sigma$ is a $\mathcal{P}$-support of D for A.r if $D \in [\![A.r]\!]_{SP(\Sigma)}$.

• For $L \subseteq \mathit{Principals}(\mathcal{P})$, we say that $\Sigma$ is a $\mathcal{P}$-support of L for A.r if $D \in [\![A.r]\!]_{SP(\Sigma)}$ for every $D \in L$.

• We say that $\Sigma$ is a $\mathcal{P}$-support for A.r if and only if it is a $\mathcal{P}$-support of every $D \in [\![A.r]\!]_{SP(\mathcal{P})}$. □

Monitoring constraints using this definition requires more machinery than using Definition 3.9, but it could yield a more efficient implementation. With this definition one monitors the credentials, and not the roles, which might affect the right-hand side of the constraint. Therefore, to apply this definition one needs a mechanism for monitoring every single credential of $\Sigma$ (which might be difficult).

Theorem 3.15 (Main with alternative definition) Assume that $\mathcal{P}$ satisfies the constraint $(O, \lambda \subseteq \rho)$. Let $\Sigma$ be a $\mathcal{P}$-support of $[\![\lambda]\!]_{SP(\mathcal{P})}$ for $\rho$ (according to Definition 3.14), and let $\mathcal{P} \mapsto \mathcal{P}'$ be a (possibly multistep) change from $\mathcal{P}$ to $\mathcal{P}'$. If

(i) $\forall\, stmt \in \mathcal{P}' \setminus \mathcal{P}$, $\mathit{head}(stmt) \notin \Gamma_{\mathcal{P}}(\lambda)$, and

(ii) $\forall\, stmt \in \mathcal{P} \setminus \mathcal{P}'$, $stmt \notin \Sigma$,

then $\mathcal{P}'$ satisfies $(O, \lambda \subseteq \rho)$ as well. □

The advantage of Definition 3.14 is that the hypotheses of Theorem 3.15 hold more often than those of Theorem 3.12. In other words, using Definition 3.14 one has to check whether the query still holds and to recalculate $\Gamma_{\mathcal{P}}(\lambda)$ and $\Sigma$ less often than with Definition 3.9.

4 Monitoring When Not All 
Participants Are Trusted to 
Help 

The previous section showed how principals in a 
trust management system can monitor integrity con¬ 
straints by monitoring changes in the definitions of 
certain roles. This section considers the problem of 



monitoring integrity constraints when not all princi¬ 
pals in the system agree to assist in monitoring their 
roles. The idea is to make the assumption that the 
owners of a certain set of roles are trusted to mon¬ 
itor new statements added to their definitions. We 
call these the growth-trusted roles and denote them 
by Q. Similarly, the owners of a set of shrink-trusted 
roles, denoted S, are trusted to monitor statements 
removed from their definitions. The owners of these 
roles are trusted to test whether changes made to un¬ 
trusted roles could violate the constraint and, if so, 
to signal that potential violation. We call the pair 
TZ = {G,S) a role monitor because it indicates the 
roles that can be monitored with respect to growth 
and shrinkage. 


Definition 4.1 (Reachable) In the presence of a 
role monitor TZ, we say that V' is 7?.-reachable from 
V if V can be obtained from V without adding any 
statements defining roles in G or removing any state¬ 
ments defining roles in S. That is to say, {stmt G 
V'\head{stmt) € G} QV and [stmt G V\head{stmt) G 
S} C V'. □ 

The problem we address is to monitor whether the system ever enters a state 𝒫 from which some reachable 𝒫' violates λ ⊑ ρ. This problem is closely related to the security analysis problem [13], which also is defined in terms of a role monitor R = (G, S), although in that context it is called a restriction rule. In security analysis, the definitions of roles in G are assumed not to grow and those of roles in S, not to shrink; the security analysis problem is to determine whether other changes to the policy state could cause a constraint to become violated. In [13] it was shown that this problem is decidable (coNEXP) for RT0 over the class of constraints we consider here, and that it is polynomial for an important subclass of those constraints. What has not been shown before, and what we show in this section, is how to identify subsets of G and S that need to be monitored so that security analysis can be used to maintain integrity constraints.

In the rest of this section, we introduce alternative semantics that can be used to answer questions about policy states that are reachable through changes to the definitions of untrusted roles. We then formalize sets of roles that must be monitored and show that monitoring these roles is sufficient. Finally, we provide a method for monitoring integrity constraints when not all principals in the system are trusted to assist the process.


Alternative Semantics

We now recall two non-standard semantics for a policy state 𝒫 and role monitor R. These were introduced in [13] for computing the lower and upper bounds on role memberships under the assumption that the definitions of roles in G do not grow and the definitions of roles in S do not shrink. We first recall the lower-bound program for a state 𝒫 and a restriction R; this program enables one to compute the lower bounds of every role.

Definition 4.2 (Lower-Bound Program [13]) Given 𝒫 and R, the lower-bound program for them, LB(𝒫, R), is constructed as follows (𝒫|_S denotes the statements of 𝒫 whose head is a role in S):

(b1) For each A.r ← D in 𝒫|_S, add lb(A, r, D).

(b2) For each A.r ← B.r1 in 𝒫|_S, add lb(A, r, ?Z) :- lb(B, r1, ?Z).

(b3) For each A.r ← A.r1.r2 in 𝒫|_S, add lb(A, r, ?Z) :- lb(A, r1, ?Y), lb(?Y, r2, ?Z).

(b4) For each A.r ← B1.r1 ∩ B2.r2 in 𝒫|_S, add lb(A, r, ?Z) :- lb(B1, r1, ?Z), lb(B2, r2, ?Z). □

We now recall the upper-bound program for a state 𝒫 and a role monitor R. This program enables one to simulate the upper bound of any role.

Definition 4.3 (Upper-Bound Program [13]) Given 𝒫 and R = (G, S), their upper-bound program, UB(𝒫, R), is constructed as follows. (⊤ is a special principal symbol not occurring in 𝒫, R, or any query Q.)

(u) Add ub(⊤, ?r, ?Z).

(u0) For each A.r ∈ Roles(𝒫) \ G, add ub(A, r, ?Z).

(u1) For each A.r ← D in 𝒫, add ub(A, r, D).

(u2) For each A.r ← B.r1 in 𝒫, add ub(A, r, ?Z) :- ub(B, r1, ?Z).

(u3) For each A.r ← A.r1.r2 in 𝒫, add ub(A, r, ?Z) :- ub(A, r1, ?Y), ub(?Y, r2, ?Z).

(u4) For each A.r ← B1.r1 ∩ B2.r2 in 𝒫, add ub(A, r, ?Z) :- ub(B1, r1, ?Z), ub(B2, r2, ?Z). □

The rules (u1) to (u4) follow from the meanings of the four types of statements and are similar to the semantic program construction in Definition 2.2. The rule (u0) means that for any role A.r not in G, the upper bound of A.r contains every principal. The rule (u) means that for any role name r, the upper bound of ⊤.r contains every principal. This is so because ⊤ does not appear in G. The rule (u) is needed because given A.r ← A.r1.r2, where A.r ∈ G and A.r1 ∉ G, we should ensure that the upper bound of A.r contains every principal. We define:

$$[A.r]_{UB(\mathcal{P})} = \{ Z \mid UB(\mathcal{P}, R) \models m(A, r, Z) \} \qquad (7)$$

$$[A.r]_{LB(\mathcal{P})} = \{ Z \mid LB(\mathcal{P}, R) \models m(A, r, Z) \} \qquad (8)$$

And by definition we have that

Remark 4.4

• If A.r ∉ S then [A.r]_LB(𝒫) = ∅.

• If A.r ∉ G then [A.r]_UB(𝒫) = Principals(𝒫) ∪ {⊤}. □

The next theorem gives the link between the two new semantics and the problem of checking that a constraint is satisfied in all reachable 𝒫'.

Theorem 4.5 ([13]) Let R be a role monitor, 𝒫 be a state, and λ ⊑ ρ be a containment constraint.

• If [λ]_UB(𝒫) ⊆ [ρ]_LB(𝒫) then 𝒫' ⊢ λ ⊑ ρ for each 𝒫' reachable from 𝒫.

• If either λ or ρ is static (i.e., it is a set of principals) then 𝒫' ⊢ λ ⊑ ρ for each 𝒫' reachable from 𝒫 implies that [λ]_UB(𝒫) ⊆ [ρ]_LB(𝒫).¹ □

We now proceed as in the previous section, by identifying the roles we have to monitor.

Positive Dependencies, with Untrusted Roles 

In the light of Theorem 4.5, given a state 𝒫, a role monitor R, and a role A.r, we want to isolate a set Γ^R_𝒫(A.r) of roles we have to monitor, as they might affect the growth of [A.r]_UB(𝒫). One might think that when some roles are untrusted, we need only restrict Γ_𝒫(A.r) to the G-roles (or to check that Γ_𝒫(A.r) ⊆ G). The following example shows that this is not adequate. Consider the constraint A.r ⊑ B.r, where A.r is defined by

$$A.r \leftarrow C.r \cap D.r \qquad (9)$$

$$D.r \leftarrow E.r \qquad (10)$$


¹ Actually, though we do not prove it here, we believe that a stronger version of this part holds, stating that if Γ_𝒫(λ) ∩ ^vie) = ∅ then 𝒫' ⊢ λ ⊑ ρ for each 𝒫' reachable from 𝒫 implies that [λ]_UB(𝒫) ⊆ [ρ]_LB(𝒫).


A.r depends on C.r, D.r and E.r (which are in Γ_𝒫(A.r)), and, if we used the method of the previous section, we would have to monitor all three of them. We now make two observations about monitoring when it is not possible to monitor all three roles. First, if E.r is not in G, we cannot monitor it. This implies that there is no point in monitoring D.r either, as it directly depends on E.r. Second, if D.r is not in G, there is no point in monitoring it nor in monitoring E.r (which can only influence A.r via D.r).

To cope with this we now define the 𝒫-core of G, which intuitively contains those roles of G which additionally do not fully depend on an untrusted role.

Definition 4.6 (𝒫-Core) Let 𝒫 be a state and G be a set of roles. The 𝒫-core of G, core_𝒫(G), is the maximal subset of G such that

• If A.r ← B.r1 ∈ 𝒫, and B.r1 ∉ core_𝒫(G), then A.r ∉ core_𝒫(G).

• If A.r ← A.r1.r2 ∈ 𝒫, and A.r1 ∉ core_𝒫(G), then A.r ∉ core_𝒫(G).

• If A.r ← A.r1.r2 ∈ 𝒫, and ∃B ∈ [A.r1]_UB(𝒫) such that B.r2 ∉ core_𝒫(G), then A.r ∉ core_𝒫(G).

• If A.r ← A1.r1 ∩ … ∩ An.rn ∈ 𝒫, and for every i, Ai.ri ∉ core_𝒫(G), then A.r ∉ core_𝒫(G). □

The following proposition is proved in the appendix.

Proposition 4.7 Let 𝒫 be a set of statements and G be a set of roles.

• If A.r ∉ core_𝒫(G), then [A.r]_UB(𝒫) = Principals(𝒫) ∪ {⊤}. □

We now construct the set of roles that must be monitored for new definitions to detect growth in a role's membership.

Definition 4.8 Let A0.r0 be a role in core_𝒫(G), R be a role monitor, and 𝒫 be a state; Γ^R_𝒫(A0.r0) ⊆ Roles(𝒫) is the least set satisfying the following:

• If A0.r0 ∈ core_𝒫(G), A0.r0 ∈ Γ^R_𝒫(A0.r0).

• If A.r ∈ Γ^R_𝒫(A0.r0), and A.r ← B.r1 ∈ 𝒫, then B.r1 ∈ Γ^R_𝒫(A0.r0).

• If A.r ∈ Γ^R_𝒫(A0.r0) and A.r ← A.r1.r2 ∈ 𝒫, then A.r1 ∈ Γ^R_𝒫(A0.r0) and X.r2 ∈ Γ^R_𝒫(A0.r0) for all X ∈ [A.r1]_UB(𝒫).

• If A.r ∈ Γ^R_𝒫(A0.r0) and A.r ← A1.r1 ∩ … ∩ An.rn ∈ 𝒫, then, for each i ∈ [1, n], if Ai.ri ∈ core_𝒫(G), Ai.ri ∈ Γ^R_𝒫(A0.r0). □

It is easy to prove by a simple induction on the steps in the iterative construction of Γ^R_𝒫(A0.r0) that Γ^R_𝒫(A0.r0) ⊆ core_𝒫(G).

We now have the counterpart of Lemma 3.7.

Lemma 4.9 Assume ⊤ ∉ [A.r]_UB(𝒫). Let R be a role monitor and 𝒫' = 𝒫 ∪ {stmt}, where head(stmt) ∉ Γ^R_𝒫(A.r); then

(a) [A.r]_UB(𝒫) = [A.r]_UB(𝒫'), and

(b) Γ^R_𝒫(A.r) = Γ^R_𝒫'(A.r).

Moreover, if 𝒫' is obtained from 𝒫 by (a) adding zero or more statements whose head is not in Γ^R_𝒫(A.r), and (b) removing zero or more statements, then

(c) [A.r]_UB(𝒫) ⊇ [A.r]_UB(𝒫'), and

(d) Γ^R_𝒫(A.r) ⊇ Γ^R_𝒫'(A.r).

Proof (sketch). The result follows by using reasoning similar to that used for proving Lemma 3.7. □

Negative Dependencies, with Untrusted Roles

To handle the right-hand side of the constraints we simply have to generalize Lemma 3.11 in the obvious way by taking into account the presence of the role monitor. The proof of this lemma is also identical to that of Lemma 3.11.

Lemma 4.10 Let R = (G, S) be a role monitor, A.r be a role, D be a principal, 𝒫 be a state and Σ be a 𝒫-support of D for A.r such that Σ ⊆ S. Then

1. D ∈ [A.r]_LB(𝒫).

Moreover, if 𝒫' is obtained from 𝒫 by (a) removing zero or more statements whose head is not in Σ, and (b) adding zero or more statements, then

2. Σ is a 𝒫'-support for A.r, and therefore

3. D ∈ [A.r]_LB(𝒫'). □

Recall that by Remark 4.4, if A.r ∉ S then we have that [A.r]_LB(𝒫) = ∅. Consequently, it is easy to show that if D ∈ [A.r]_LB(𝒫) then there exists a 𝒫-support of D for A.r consisting of roles that are in S.


Putting Things Together

We can now prove the result we were aiming at. Differently from the case in which all roles were trusted, we now want to check that λ ⊑ ρ holds in any R-reachable state 𝒫'. The additional problem here is that we cannot rely on the cooperation of the roles that are not in G (resp. S) in monitoring the constraint and telling the constraint owner when a statement defining a role in Γ_𝒫(λ) is added (resp. a statement defining a role in S is removed). Because of this we refer to the two "pessimistic" semantics [λ]_UB(𝒫) and [ρ]_LB(𝒫), and first check whether [λ]_UB(𝒫) ⊆ [ρ]_LB(𝒫). If this does not hold, then, by Theorem 4.5, the chance is high that in some reachable 𝒫' the constraint is violated. If [λ]_UB(𝒫) ⊆ [ρ]_LB(𝒫) does hold, then we can apply the following:

Theorem 4.11 (Main with Untrusted Roles) Let R = (G, S) be a role monitor. Assume that [λ]_UB(𝒫) ⊆ [ρ]_LB(𝒫). Let Σ be a 𝒫-support of [λ]_UB(𝒫) for ρ such that Σ ⊆ S, and let 𝒫 ⟶ 𝒫' be a (possibly multistep) change from 𝒫 to 𝒫'. If

(i) ∀ stmt ∈ 𝒫' \ 𝒫, head(stmt) ∉ Γ^R_𝒫(λ), and

(ii) ∀ stmt ∈ 𝒫 \ 𝒫', head(stmt) ∉ Σ

then [λ]_UB(𝒫') ⊆ [ρ]_LB(𝒫').

Proof. Take any D ∈ [λ]_UB(𝒫'). By Lemma 4.9, D ∈ [λ]_UB(𝒫). By assumption, D ∈ [ρ]_LB(𝒫). By Lemma 4.10, D ∈ [ρ]_LB(𝒫'). Hence the thesis. □

Because of Theorem 4.11, in the presence of untrusted roles we can deploy a monitoring procedure very similar to that described after Theorem 3.12. First we check that [λ]_UB(𝒫) ⊆ [ρ]_LB(𝒫) holds². While doing this, we compute a 𝒫-support Σ of [λ]_UB(𝒫) for ρ, this time a Σ such that Σ ⊆ S. Second, we have to build Γ^R_𝒫(λ). Third, we monitor the roles in Σ and in Γ^R_𝒫(λ) so that each time a statement defining a role in Γ^R_𝒫(λ) (resp. Σ) is added to (resp. deleted from) 𝒫, the constraint owner is warned. When the constraint owner receives a warning, he has to (a) check whether [λ]_UB(𝒫) ⊆ [ρ]_LB(𝒫) holds, and (b) recompute Γ^R_𝒫(λ) and Σ.

Example 4.12 Reconsider again Example 3.3. Suppose that Emergency.dept is (the only role) not in G; then we have that Emergency.responsePersonnel ∉ core_𝒫(G). Therefore

Γ^R_𝒫(Emergency.hazmatPersonnel) = { Emergency.hazmatPersonnel, ATF.hazmatTraining }

Nonetheless, if ATF.hazmatDB ∈ S we have that

[Emergency.hazmatPersonnel]_UB(𝒫) ⊆ [ATF.hazmatDB]_LB(𝒫)

so by Theorem 4.5 we know that the constraint

Emergency.hazmatPersonnel ⊑ ATF.hazmatDB

is satisfied in all reachable 𝒫'.

By Theorem 4.11, if the two roles Emergency.hazmatPersonnel and ATF.hazmatTraining prompt a warning when a statement defining one of them is added, and the role ATF.hazmatDB gives a warning when one of its statements is removed, then the constraint needs to be re-checked only when a warning is given. In that case, we also have to recompute Σ and Γ^R_𝒫(Emergency.hazmatPersonnel). Theorem 4.11 guarantees that no matter which changes are made to 𝒫, until a warning is given, we still have that every reachable³ 𝒫' satisfies the constraint. □

² Even if this does not hold, when neither λ nor ρ is static, it is possible that [λ]_SP(𝒫') ⊆ [ρ]_SP(𝒫') for all 𝒫' reachable from 𝒫. However, in general, for the class of constraints we consider, determining this is PSPACE-hard [13], i.e., intractable. Thus, our technique makes an efficient conservative approximation for the more general constraints we consider.
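As an added example (not code from the paper), the following Python computes core_𝒫(G) of Definition 4.6, the monitored set Γ^R_𝒫(A0.r0) of Definition 4.8, and the warning trigger of the procedure after Theorem 4.11, on a constructed policy that includes statements (9) and (10). The tuple encoding of statements is ours, and the upper-bound memberships [A.r1]_UB(𝒫) that the linked-role rules consult are supplied as a constructed mapping rather than recomputed.

```python
# Statement tuples, roles as (principal, role_name) pairs (our encoding of RT0 syntax):
#   ("member",(A,r),D)  ("incl",(A,r),(B,r1))  ("link",(A,r),r1,r2)  ("inter",(A,r),[(B1,r1),...])

def core(policy, G, ub):
    """core_P(G) of Definition 4.6: remove roles of G until no rule applies.
    `ub` maps a role to [role]_UB(P), assumed already computed."""
    c = set(G)
    changed = True
    while changed:
        changed = False
        for st in policy:
            kind, head = st[0], st[1]
            if head not in c:
                continue
            if kind == "incl":
                drop = st[2] not in c
            elif kind == "link":
                a, r1, r2 = head[0], st[2], st[3]
                drop = (a, r1) not in c or any((b, r2) not in c for b in ub.get((a, r1), ()))
            elif kind == "inter":
                drop = all(ro not in c for ro in st[2])
            else:
                drop = False
            if drop:
                c.discard(head)
                changed = True
    return c

def monitored_roles(policy, G, ub, start):
    """Γ^R_P(start) of Definition 4.8: roles whose new definitions must be reported
    so that growth of [start]_UB(P) cannot go unnoticed."""
    c = core(policy, G, ub)
    if start not in c:
        return set()  # Definition 4.8 presupposes start ∈ core_P(G)
    gamma, work = {start}, [start]
    while work:
        a_r = work.pop()
        for st in policy:
            if st[1] != a_r:
                continue
            if st[0] == "incl":
                new = {st[2]}
            elif st[0] == "link":
                a, r1, r2 = a_r[0], st[2], st[3]
                new = {(a, r1)} | {(x, r2) for x in ub.get((a, r1), ())}
            elif st[0] == "inter":
                new = {ro for ro in st[2] if ro in c}
            else:
                new = set()
            for ro in new - gamma:
                gamma.add(ro)
                work.append(ro)
    return gamma

def needs_warning(added, removed, gamma, support):
    """Trigger of the procedure after Theorem 4.11: a statement defining a role in
    Γ^R_P(λ) was added, or one defining a role in the support Σ was removed."""
    return any(st[1] in gamma for st in added) or any(st[1] in support for st in removed)

# Constructed sample: statements (9) and (10) plus a linked role A.s <- A.t.u.
POLICY = [
    ("inter", ("A", "r"), [("C", "r"), ("D", "r")]),
    ("incl", ("D", "r"), ("E", "r")),
    ("member", ("C", "r"), "Alice"),
    ("link", ("A", "s"), "t", "u"),
    ("member", ("A", "t"), "X"),
]
# Constructed upper bounds, standing in for UB(P, R) computed on the policy above.
UB = {("A", "t"): {"X"}, ("C", "r"): {"Alice"}}
G_ALL = {("A", "r"), ("C", "r"), ("D", "r"), ("E", "r"), ("A", "s"), ("A", "t"), ("X", "u")}
```

Removing E.r from G drops D.r from the core and leaves Γ^R_𝒫(A.r) = {A.r, C.r}; removing D.r instead gives the same monitored set, since E.r can only influence A.r via D.r, which matches the two observations made after statements (9) and (10).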

5 Related Work

In database theory, an integrity constraint is a query that must remain true after the database has been updated. Originally, integrity constraints were introduced to prevent incorrect updates and to check the database for integrity. Nevertheless, integrity constraints have later been used for a number of purposes, ranging from query optimization to view updating. We refer to [9, 6] for illustrative examples of the uses of integrity constraints in deductive databases.

In Section 2, we listed several papers presenting various trust management systems. None of these incorporates a notion of integrity constraints. The work in trust management that is most closely related is [13]. As we discussed at the beginning of Section 4, that work is complementary to ours. It studies the problem of determining, given a state 𝒫, a role monitor R, and a constraint Q, whether there is a reachable state in which Q is violated. By contrast, we analyze the problem of which roles must have their definitions monitored to detect when such a 𝒫 is entered.

³ Notice that changing 𝒫 also changes the reachability relation, i.e., the set of reachable 𝒫's.


6 Conclusion

We introduce the use, monitoring, and enforcement of integrity constraints in trust management-style authorization systems. We consider the portions of the policy state that must be monitored to detect violations of integrity constraints. We also address the extra difficulty that not all participants in a trust management system can be trusted to assist in such monitoring, and show how many integrity constraints can be monitored in a conservative manner so that trusted participants detect and report if the system enters a policy state from which evolution in unmonitored portions of the policy could lead to a constraint violation.
A Proofs

Lemma 3.7 Let 𝒫' = 𝒫 ∪ {stmt}, where head(stmt) ∉ Γ_𝒫(A.r); then

(a) [A.r]_SP(𝒫) = [A.r]_SP(𝒫'), and

(b) Γ_𝒫(A.r) = Γ_𝒫'(A.r).

Moreover, if 𝒫' is obtained from 𝒫 by (a) adding zero or more statements whose head is not in Γ_𝒫(A.r), and (b) removing zero or more statements, then

(c) [A.r]_SP(𝒫) ⊇ [A.r]_SP(𝒫'), and

(d) Γ_𝒫(A.r) ⊇ Γ_𝒫'(A.r).

Proof.

(a) Let P = SP(𝒫), and P' = SP(𝒫'). First, we summarize some logic-programming notation: we denote by B_P the Herbrand base of P (and P'), consisting of the set of all ground (variable-free) atoms. Ground(P) denotes the set of all ground instances of clauses in P. The usual T_P operator is defined as follows: let I ⊆ B_P; then T_P(I) = {H | H :- B1, …, Bn ∈ Ground(P), and B1, …, Bn ∈ I}. As usual, we define T_P↑0(I) := I, and T_P↑n+1(I) := T_P(T_P↑n(I)). By well-known results (see e.g. [1]), since P contains no function symbols, for some n we have that

$$T_P \uparrow^{n}(\emptyset) = M_P = \text{the least Herbrand model of } P$$

Now we define the LP-counterpart of Γ_𝒫(A.r): Γ_atom = {m(B, r, D) | B.r ∈ Γ_𝒫(A.r) ∧ D ∈ Principals(𝒫)} and the complement Γ̄_atom = {m(B, r, D) | B.r ∉ Γ_𝒫(A.r) ∧ D ∈ Principals(𝒫)}. Furthermore, let I and I' be two sets of ground atoms such that I' = I ∪ some atoms in Γ̄_atom, and I ⊆ M_P. By the monotonicity of T_P, we have that

$$T_{P'}(I') \supseteq T_P(I) \qquad (11)$$

We now want to show that

$$T_{P'}(I') \setminus T_P(I) \subseteq \bar{\Gamma}_{atom} \qquad (12)$$

We proceed by contradiction and assume that there exists H such that

$$H \in T_{P'}(I') \setminus T_P(I) \quad\text{and}\quad H \in \Gamma_{atom} \qquad (13)$$

Since H ∈ T_P'(I'), there exists a ground instance H :- B1, …, Bn of a clause cl ∈ P' such that B1, …, Bn ∈ I'. Since H ∈ Γ_atom, cl ∈ P. Therefore H ∈ T_P(I'). We now want to show that

$$B_1, \ldots, B_n \in \Gamma_{atom} \qquad (14)$$

Since I' \ I ⊆ Γ̄_atom, this will demonstrate that B1, …, Bn ∈ I, and therefore that H ∈ T_P(I), contradicting (13). We distinguish two cases according to the kind of statement from which cl is generated. Case 1: cl is the LP-translation of a simple inclusion or intersection inclusion (not a linking inclusion). Then B1, …, Bn ∈ Γ_atom by Definition 3.6. Case 2: cl is the LP-translation of a linking inclusion (linked role). Then H :- B1, …, Bn has the form m(A, r, D) :- m(A, r1, B), m(B, r2, D). By Definition 3.6, m(A, r1, B) ∈ Γ_atom. Since I' \ I ⊆ Γ̄_atom, and m(A, r1, B) ∈ I', we have that m(A, r1, B) ∈ I. Since I ⊆ M_P, then B ∈ [A.r1]_SP(𝒫). Therefore, again by Definition 3.6, m(B, r2, D) ∈ Γ_atom, proving (14) (which in turn contradicts (13)).

Now that we have proven (12), since for each m we have that T_P↑m(∅) ⊆ M_P, from (11), (12) and a straightforward inductive reasoning it follows that, for each m,

$$T_{P'} \uparrow^{m}(\emptyset) \supseteq T_P \uparrow^{m}(\emptyset) \quad\text{and}\quad T_{P'} \uparrow^{m}(\emptyset) \setminus T_P \uparrow^{m}(\emptyset) \subseteq \bar{\Gamma}_{atom}$$

Since the least model of P' and P is the least fixpoint of these continuous operators on a finite lattice, this demonstrates that M_P' \ M_P ⊆ Γ̄_atom. Since by definition A.r ∈ Γ_𝒫(A.r), it follows that [A.r]_SP(𝒫) = [A.r]_SP(𝒫'). Hence the thesis.
(b) Since head(stmt) ∉ Γ_𝒫(A.r), head(stmt) is not reachable from A.r. So removing stmt does not alter the reachability from A.r.

(c) and (d) First notice that, by construction,

$$\Gamma_{\mathcal{P}}(A.r) \supseteq \Gamma_{\mathcal{P} \setminus \{cred\}}(A.r) \qquad (15)$$

Now, suppose that we have a chain 𝒫 = 𝒫0, 𝒫1, …, 𝒫n = 𝒫', where each 𝒫i+1 is obtained from 𝒫i by either adding a statement whose head is not in Γ_𝒫(A.r) or removing a statement. We now show by induction on i that for each i ∈ [1, n]: [A.r]_SP(𝒫) ⊇ [A.r]_SP(𝒫i) and Γ_𝒫(A.r) ⊇ Γ_𝒫i(A.r), which imply the thesis. The base case is trivial, as 𝒫0 = 𝒫; for the inductive case we have two subcases. Case 1. If 𝒫i+1 is obtained from 𝒫i by adding a statement stmt such that head(stmt) ∉ Γ_𝒫(A.r), then by the inductive hypothesis head(stmt) ∉ Γ_𝒫i(A.r), and, by statements (a) and (b), we have that [A.r]_SP(𝒫i) = [A.r]_SP(𝒫i+1) and Γ_𝒫i(A.r) = Γ_𝒫i+1(A.r), and the result follows from the inductive hypothesis. Case 2. If 𝒫i+1 is obtained from 𝒫i by removing a statement, then the result follows from the monotonicity of [A.r]_SP(𝒫) (1), and (15). □


Proposition 4.7 Let 𝒫 be a set of statements and G be a set of roles. If A.r ∉ core_𝒫(G), then [A.r]_UB(𝒫) = Principals(𝒫) ∪ {⊤}.

Proof. Consider the following closure operator on sets of roles (cl_𝒫 : ℘(Roles(𝒫)) → ℘(Roles(𝒫))). Let Δ be a set of roles.

$$\begin{aligned}
cl_{\mathcal{P}}(\Delta) = \Delta
 &\cup \{A.r \mid A.r \leftarrow B.r_1 \in \mathcal{P} \text{ and } B.r_1 \in \Delta\} \\
 &\cup \{A.r \mid A.r \leftarrow A.r_1.r_2 \in \mathcal{P} \text{ and } A.r_1 \in \Delta\} \\
 &\cup \{A.r \mid A.r \leftarrow A.r_1.r_2 \in \mathcal{P} \text{ and } \exists B \in [A.r_1]_{UB(\mathcal{P})} \text{ such that } B.r_2 \in \Delta\} \\
 &\cup \{A.r \mid A.r \leftarrow B_1.r_1 \cap \ldots \cap B_n.r_n \in \mathcal{P} \text{ and } \forall i \in [1, n]\ B_i.r_i \in \Delta\}
\end{aligned}$$

It is easy to see that the complement of core_𝒫(G) is, by construction, exactly the least fixpoint of cl_𝒫 containing Ḡ, the complement of G. Now, define cl_𝒫↑0(Δ) := Δ and cl_𝒫↑n+1(Δ) := cl_𝒫(cl_𝒫↑n(Δ)). Since cl_𝒫 is monotonically increasing, and since ℘(Roles(𝒫)) is finite, we have that, for some n,

$$cl_{\mathcal{P}} \uparrow^{n}(\bar{G}) = \text{least fixpoint of } cl_{\mathcal{P}} \text{ containing } \bar{G} = \overline{core_{\mathcal{P}}(G)} \qquad (16)$$

Now, by definition, for every A.r ∈ Ḡ, [A.r]_UB(𝒫) = Principals(𝒫) ∪ {⊤}.

By the definition of cl_𝒫, it is straightforward to check that this implies that for every A.r ∈ cl_𝒫(Ḡ), [A.r]_UB(𝒫) = Principals(𝒫) ∪ {⊤}.

By iterating this reasoning it is straightforward to check that this implies that for every A.r ∈ cl_𝒫↑n(Ḡ), [A.r]_UB(𝒫) = Principals(𝒫) ∪ {⊤}.

The thesis follows from (16). □


B Computing the Support Bottom-Up

We now show how one can compute the support in a bottom-up way. We do this by defining a semantics JS : Roles(𝒫) → ℘(Principals(𝒫) × ℘(Roles(𝒫))) for which it holds that if JS_𝒫(A.r) ∋ (D, Σ) then Σ is a minimal 𝒫-support of D in A.r. The construction is parametric w.r.t. the partial order used to define minimality.

Definition B.1 (Justified Set Semantics JS) In the following algorithm CurrentSet and OldSet are mappings Roles(𝒫) → ℘(Principals(𝒫) × ℘(Roles(𝒫)) × ℕ). We say that (D1, Σ1, i1) subsumes (D2, Σ2, i2) iff D1 = D2 and Σ1 ⊆ Σ2.

init phase
  for each role A.r, CurrentSet(A.r) := ∅
repeat
  for each role A.r, do OldSet(A.r) := CurrentSet(A.r)
  for each stmt ∈ 𝒫 do
    if stmt = A.r ← B then
      remove from CurrentSet(A.r) all triples subsumed by (B, {A.r}, 1)
      CurrentSet(A.r) := CurrentSet(A.r) ∪ {(B, {A.r}, 1)}
    if stmt = A.r ← B.s then
      for each (D, Σ, i) ∈ CurrentSet(B.s) do
        if (D, Σ ∪ {A.r}, i + 1) is not subsumed by any triple in CurrentSet(A.r) then
          remove from CurrentSet(A.r) all triples subsumed by (D, Σ ∪ {A.r}, i + 1)
          CurrentSet(A.r) := CurrentSet(A.r) ∪ {(D, Σ ∪ {A.r}, i + 1)}
    if stmt = A.r ← A.r1.r2 then
      for each (B, Σ1, i1) ∈ CurrentSet(A.r1) do
        for each (D, Σ2, i2) ∈ CurrentSet(B.r2) do
          if (D, Σ1 ∪ Σ2 ∪ {A.r}, i1 + i2) is not subsumed by any triple in CurrentSet(A.r) then
            remove from CurrentSet(A.r) all triples subsumed by (D, Σ1 ∪ Σ2 ∪ {A.r}, i1 + i2)
            CurrentSet(A.r) := CurrentSet(A.r) ∪ {(D, Σ1 ∪ Σ2 ∪ {A.r}, i1 + i2)}
    if stmt = A.r ← B1.r1 ∩ B2.r2 then
      for each (D, Σ1, i1) ∈ CurrentSet(B1.r1) do
        if, for some Σ2, i2, (D, Σ2, i2) ∈ CurrentSet(B2.r2) then
          if (D, Σ1 ∪ Σ2 ∪ {A.r}, i1 + i2) is not subsumed by any triple in CurrentSet(A.r) then
            remove from CurrentSet(A.r) all triples subsumed by (D, Σ1 ∪ Σ2 ∪ {A.r}, i1 + i2)
            CurrentSet(A.r) := CurrentSet(A.r) ∪ {(D, Σ1 ∪ Σ2 ∪ {A.r}, i1 + i2)}
until for each role A.r, OldSet(A.r) = CurrentSet(A.r)

Then, for each role A.r, we define JS_𝒫(A.r) := {(D, Σ) | ∃i. (D, Σ, i) ∈ CurrentSet(A.r)}. □
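As an added example (not code from the paper), the following Python runs the iteration of Definition B.1 and returns, for each role, the set of (D, Σ) pairs, i.e. JS_𝒫; a small helper then picks a minimal support inside a given S, which is what the procedure after Theorem 4.11 needs. The tuple encoding of statements and the sample state are ours; in the intersection case every matching Σ2 is combined rather than just one.

```python
def subsumes(t1, t2):
    """(D1, Σ1, i1) subsumes (D2, Σ2, i2) iff D1 = D2 and Σ1 ⊆ Σ2 (Definition B.1)."""
    return t1[0] == t2[0] and t1[1] <= t2[1]

def insert(current, head, triple):
    """Add triple to CurrentSet(head) unless already subsumed; drop what it subsumes."""
    bag = current.setdefault(head, set())
    if any(subsumes(t, triple) for t in bag):
        return
    bag.difference_update({t for t in bag if subsumes(triple, t)})
    bag.add(triple)

def justified_sets(policy):
    """JS_P: for each role, the (D, Σ) pairs with Σ a minimal P-support of D.
    Statements are tuples (our encoding): ("member",(A,r),D), ("incl",(A,r),(B,s)),
    ("link",(A,r),r1,r2), ("inter",(A,r),[(B1,r1),(B2,r2)]); Σ is a frozenset of roles."""
    current = {}
    while True:
        old = {ro: set(bag) for ro, bag in current.items()}  # OldSet
        for st in policy:
            kind, head = st[0], st[1]
            if kind == "member":
                insert(current, head, (st[2], frozenset({head}), 1))
            elif kind == "incl":
                for d, s, i in list(current.get(st[2], ())):
                    insert(current, head, (d, s | {head}, i + 1))
            elif kind == "link":
                a, r1, r2 = head[0], st[2], st[3]
                for b, s1, i1 in list(current.get((a, r1), ())):
                    for d, s2, i2 in list(current.get((b, r2), ())):
                        insert(current, head, (d, s1 | s2 | {head}, i1 + i2))
            else:
                b1, b2 = st[2]
                for d, s1, i1 in list(current.get(b1, ())):
                    for d2, s2, i2 in list(current.get(b2, ())):
                        if d2 == d:
                            insert(current, head, (d, s1 | s2 | {head}, i1 + i2))
        if old == current:  # OldSet = CurrentSet for every role
            return {ro: {(d, s) for d, s, _ in bag} for ro, bag in current.items()}

def support_within(js, role, d, S):
    """A minimal P-support of d for role contained in S (as Theorem 4.11 needs), or None."""
    for dd, s in js.get(role, ()):
        if dd == d and s <= S:
            return s
    return None

POLICY = [  # constructed sample state
    ("incl", ("A", "r"), ("B", "r")),
    ("inter", ("A", "r"), [("C", "r"), ("D", "r")]),
    ("member", ("B", "r"), "Alice"),
    ("member", ("C", "r"), "Alice"),
    ("member", ("D", "r"), "Alice"),
    ("member", ("D", "r"), "Bob"),
    ("link", ("E", "r"), "s", "t"),
    ("member", ("E", "s"), "A"),
    ("member", ("A", "t"), "Carol"),
]
```

Alice reaches A.r in two incomparable ways, so both {A.r, B.r} and {A.r, C.r, D.r} survive as minimal supports, while Bob never reaches A.r because C.r lacks him.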

The following result demonstrates that this semantics is equivalent to the standard one, and that it provides us with appropriate support sets.

Theorem B.2 Let A.r be a role, D a principal, and 𝒫 a state. Then (D, Σ0) ∈ JS_𝒫(A.r) if and only if Σ0 is a minimal 𝒫-support of D in A.r.

Proof. (⇐) Assume Σ0 is a minimal set of roles such that D ∈ [A.r]_SP(𝒫|Σ0). We show by induction on the construction of T_SP(𝒫|Σ0)↑j(∅) that for all j and for each A0.r0 ∈ Σ0, if m(A0, r0, D) ∈ T_SP(𝒫|Σ0)↑j(∅), then at some stage in the execution of the algorithm, for some i and Σ, (D, Σ, i) ∈ CurrentSet(A0.r0) with Σ ⊆ Σ0. The desired result then follows by taking A0.r0 = A.r, by using the fact, shown below in the second part of the proof, that (D, Σ, i) ∈ CurrentSet(A0.r0) implies m(A0, r0, D) ∈ T_SP(𝒫|Σ)↑i(∅), and by using the minimality of Σ0.

Basis. When j = 0, the result is trivial.

Step. We assume the hypothesis holds for j and show that it holds for j + 1. We proceed by case analysis of the clause used to add m(A0, r0, D) to T_SP(𝒫|Σ0)↑j+1(∅). We show here only the case of linking inclusion; the other cases are similar.

Case: m(A0, r0, ?Z) :- m(A0, r1, ?Y), m(?Y, r2, ?Z) ∈ SP(𝒫|Σ0). By definition of T_P, there exists B such that m(A0, r1, B), m(B, r2, D) ∈ T_SP(𝒫|Σ0)↑j(∅). So by the induction hypothesis, there exist i1, i2, Σ1, Σ2 such that Σ1, Σ2 ⊆ Σ0, (B, Σ1, i1) ∈ CurrentSet(A0.r1), and (D, Σ2, i2) ∈ CurrentSet(B.r2) by some stage in the execution. Consider the first such stage. In the following iteration, either CurrentSet(A0.r0) already contains a triple that subsumes (D, Σ1 ∪ Σ2 ∪ {A0.r0}, i1 + i2 + 1), or else this triple is added. In either case, at the end of the iteration, CurrentSet(A0.r0) contains a triple that subsumes (D, Σ0, k), for all k. (Note Σ1 ∪ Σ2 ∪ {A0.r0} ⊆ Σ0.)

(⇒) We show by induction on i that if (D, Σ, i) ∈ CurrentSet(A.r), then m(A, r, D) ∈ T_SP(𝒫|Σ)↑i(∅). This direction of the theorem then follows because, by the other direction, all minimal 𝒫-supports are in CurrentSet(A.r), and the algorithm removes all entries that are subsumed by other entries.

Basis. i = 1. In this case, Σ = {A.r} and there is a statement A.r ← D ∈ 𝒫. In this case m(A, r, D) ∈ SP(𝒫|Σ), so m(A, r, D) ∈ T_SP(𝒫|Σ)↑j(∅) for all j ∈ ℕ.

Step. We assume the hypothesis holds for all i ≤ k and show that it holds for i = k + 1. We proceed by case analysis of the statement used to add (D, Σ, k + 1) to CurrentSet(A.r). We show here only the case of linking inclusion; the other cases are similar.

Case: A.r ← A.r1.r2. In this case there are Σ1, Σ2, i1, i2, and B such that (B, Σ1, i1) ∈ CurrentSet(A.r1), (D, Σ2, i2) ∈ CurrentSet(B.r2), k = i1 + i2, and Σ = Σ1 ∪ Σ2 ∪ {A.r}. By the induction hypothesis, m(A, r1, B) ∈ T_SP(𝒫|Σ1)↑i1(∅) and m(B, r2, D) ∈ T_SP(𝒫|Σ2)↑i2(∅). By monotonicity of T_P in P, it follows that m(A, r1, B), m(B, r2, D) ∈ T_SP(𝒫|Σ)↑k(∅). Consider the first j such that m(A, r1, B), m(B, r2, D) ∈ T_SP(𝒫|Σ)↑j(∅). Because m(A, r, ?Z) :- m(A, r1, ?Y), m(?Y, r2, ?Z) is in SP(𝒫|Σ), it follows that m(A, r, D) ∈ T_SP(𝒫|Σ)↑j+1(∅), the latter being a subset of T_SP(𝒫|Σ)↑k+1(∅). □

It must be acknowledged that the algorithm given here may construct a value for CurrentSet whose size is combinatorial in the size of 𝒫. In practice, a variant of this algorithm should be used in which a small constant number of entries in CurrentSet(A.r) are stored for each D ∈ [A.r]_SP(𝒫).